Analysis
-
max time kernel
114s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 02:06
Static task
static1
Behavioral task
behavioral1
Sample
9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe
Resource
win10v2004-20241007-en
General
-
Target
9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe
-
Size
708KB
-
MD5
819ea369a68797df911481f40f80ccc0
-
SHA1
ea3cf8ffb12c9e1540e928b7c9ce3100b13e8d59
-
SHA256
9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3
-
SHA512
18e6827072533c04d7e4094c1aebcb1ed3e7b9e1b1ee8f8863af095ee108ef30da5fae0a498739386072e103906428df0677a747d681c9b9968388d20f9bef24
-
SSDEEP
12288:2MrM3y90hvjFMlb26MxC2QOCsk4WHU82Lka1/ZClxW4qWhvCWDLKSrvHGYL:qyYvrxQOj9QaJ+iWdCqKavHGQ
Malware Config
Extracted
redline
gena
193.233.20.30:4125
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detects Healer an antivirus disabler dropper 19 IoCs
Processes:
resource yara_rule behavioral1/files/0x0032000000023b75-12.dat healer behavioral1/memory/4060-15-0x0000000000C90000-0x0000000000C9A000-memory.dmp healer behavioral1/memory/816-22-0x00000000048E0000-0x00000000048FA000-memory.dmp healer behavioral1/memory/816-24-0x0000000004B40000-0x0000000004B58000-memory.dmp healer behavioral1/memory/816-25-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-34-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-52-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-50-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-48-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-46-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-45-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-42-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-40-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-38-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-36-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-32-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-30-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-28-0x0000000004B40000-0x0000000004B52000-memory.dmp healer behavioral1/memory/816-26-0x0000000004B40000-0x0000000004B52000-memory.dmp healer -
Healer family
-
Processes:
mx9117dF.exens5586Ci.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mx9117dF.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection ns5586Ci.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ns5586Ci.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ns5586Ci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mx9117dF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mx9117dF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mx9117dF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mx9117dF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mx9117dF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ns5586Ci.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ns5586Ci.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ns5586Ci.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
Processes:
resource yara_rule behavioral1/memory/4864-60-0x0000000004AE0000-0x0000000004B26000-memory.dmp family_redline behavioral1/memory/4864-61-0x0000000004BA0000-0x0000000004BE4000-memory.dmp family_redline behavioral1/memory/4864-83-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-69-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-67-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-65-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-63-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-62-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-95-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-93-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-91-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-89-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-87-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-85-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-81-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-79-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-77-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-75-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-73-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline behavioral1/memory/4864-71-0x0000000004BA0000-0x0000000004BDE000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
Processes:
will6192.exemx9117dF.exens5586Ci.exepy59KD76.exepid Process 4712 will6192.exe 4060 mx9117dF.exe 816 ns5586Ci.exe 4864 py59KD76.exe -
Processes:
ns5586Ci.exemx9117dF.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ns5586Ci.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mx9117dF.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features ns5586Ci.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exewill6192.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" will6192.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target Process procid_target 2444 816 WerFault.exe 95 2904 816 WerFault.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exewill6192.exens5586Ci.exepy59KD76.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language will6192.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ns5586Ci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language py59KD76.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
mx9117dF.exens5586Ci.exepid Process 4060 mx9117dF.exe 4060 mx9117dF.exe 816 ns5586Ci.exe 816 ns5586Ci.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
mx9117dF.exens5586Ci.exepy59KD76.exedescription pid Process Token: SeDebugPrivilege 4060 mx9117dF.exe Token: SeDebugPrivilege 816 ns5586Ci.exe Token: SeDebugPrivilege 4864 py59KD76.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exewill6192.exedescription pid Process procid_target PID 3452 wrote to memory of 4712 3452 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe 83 PID 3452 wrote to memory of 4712 3452 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe 83 PID 3452 wrote to memory of 4712 3452 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe 83 PID 4712 wrote to memory of 4060 4712 will6192.exe 85 PID 4712 wrote to memory of 4060 4712 will6192.exe 85 PID 4712 wrote to memory of 816 4712 will6192.exe 95 PID 4712 wrote to memory of 816 4712 will6192.exe 95 PID 4712 wrote to memory of 816 4712 will6192.exe 95 PID 3452 wrote to memory of 4864 3452 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe 102 PID 3452 wrote to memory of 4864 3452 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe 102 PID 3452 wrote to memory of 4864 3452 9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe"C:\Users\Admin\AppData\Local\Temp\9f84c29c9ce75bf779c08e475559b8ac687f60d7992bb41fc936257157bb70d3N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6192.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\will6192.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mx9117dF.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mx9117dF.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ns5586Ci.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ns5586Ci.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 10284⤵
- Program crash
PID:2444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 10884⤵
- Program crash
PID:2904
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py59KD76.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\py59KD76.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 816 -ip 8161⤵PID:1168
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 816 -ip 8161⤵PID:2624
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
391KB
MD5dac9d17f293b1b656b29ac0aa74881f5
SHA1d7d2091bc1a73b41372d12d2f24c6e5e28c481d8
SHA2563abdaadd2f7e8294316f1ab49e26805fcc77fc0c838c3f505b900506617f1f93
SHA512225169346f1a908829625677cdd5381f90441b606641aa52c714a23ab970746dfee8a4fc8218b06165cf00dbf76a12bc3d0b20d562b876a1eccfa4982437a739
-
Filesize
355KB
MD5b2396c9a25702454d5cab24ee0644bb0
SHA1d90ab89c01dd6c01d7cba2f44d5898102d8be4c8
SHA25649319c6458843d1876f2278cfd62f0539f90f2571d016b65d5e8f9e4b0f35666
SHA512767549a028254a15c2df2a477ba76398934808674867423ab4b17532f47d02807523e08033912a5bece87bf33dafb239c474bd92114dcfce3ead1572765609ec
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
333KB
MD52f78077a28277376e5238b8b369fcd5f
SHA1ffd1bd9d1b161c11fb4b78ae3ddebfdbac4371fb
SHA2566afb645b6fb3439bf44d3f9dc0eeb68f4a1b78bc36a62d9e1852f804cddfa4ee
SHA5127a7aea0f049c7473712585b6cc867f79ea7ff377c397e8418d2b63d8584415cdaae9a7cc1dbc306ce89a286edad1e53958037e62feca51609507d20e1e615a0f